Slack: Stored XSS in Slackbot Direct Messages

ID H1:4561
Type hackerone
Reporter prakharprasad
Modified 2014-05-04T18:38:21


Whenever a new team is created, Slackbot runs an automated profile completion, asking the user a few questions such as first name, last name, Skype account, etc. If, instead of providing the correct details, we provide <javascript:alert(document.cookie);> as input, Slackbot places the data inside an anchor tag, <a href=javascript:alert(document.cookie);>...</a>, so clicking on the link triggers the XSS.
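One way to close this class of bug, as an added example that is not part of the original report and is not Slack's code: parse the link target and emit an anchor only for an allowlisted scheme, escaping everything else. The names renderMessage and safeHref, the scheme allowlist, and the sample inputs are assumptions made for illustration.

```javascript
// Hypothetical renderer for "<target>" link markup in a chat message (added example).
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Returns the normalized URL if it parses and its scheme is allowlisted, else null.
// The WHATWG URL parser lowercases the scheme and strips leading spaces and embedded
// tabs/newlines, so the check sees the scheme the way a browser would.
function safeHref(target) {
  let parsed;
  try {
    parsed = new URL(target);
  } catch {
    return null; // not an absolute URL: treat as plain text
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

function renderMessage(text) {
  let out = "";
  let last = 0;
  for (const m of text.matchAll(/<([^<>]*)>/g)) {
    out += escapeHtml(text.slice(last, m.index));
    const href = safeHref(m[1]);
    // Emit the parsed, quoted and escaped href, never the raw user string.
    out += href
      ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(m[1])}</a>`
      : escapeHtml(m[0]); // rejected target is shown as inert text
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Constructed sample inputs: the value from the report and a legitimate link.
for (const sample of ["<javascript:alert(document.cookie);>", "<https://example.com/>"]) {
  console.log(renderMessage(sample));
}
```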

Video POC: